Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

WEBCAST - Google was victimized by hackers. Will you be next? Join us for this educational Webcast on Feb 25, 2010. Keynote by Peter Firstbrook, Gartner Analyst. Watch a step-by-step demo of how Chinese hackers attacked big name US companies. Learn how to protect your organization from such threats. Register Here: http://www.sans.org/info/54528

TOP OF THE NEWS

Google is reportedly enlisting the help of the National Security Agency (NSA) to analyze the recently disclosed attack on the company's computer networks with the ultimate goal of protecting the company and its customers from attacks in the future. The arrangement is still being finalized; the terms of any agreement between Google and the NSA will maintain Google customers' privacy. -http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html-http://www.nytimes.com/2010/02/05/science/05google.html?ref=technology[Editor's Note (Schultz): NSA and Google working together would have been unheard of only a few years ago. If this relationship proves productive, it will serve as a precedent that other corporations are likely to follow, provided, of course, that NSA does not get too intrusive with respect to Google's private information.

(Skoudis): I wish they'd share a little more information about the procedures they'll put in place to maintain customer's privacy. I'm not looking for the full details, perhaps just a general statement in the future explaining how they anonymize or otherwise protect user data when interacting with government agencies.

(Paller): There are two sides of NSA. One looks at data streams (or doesn't -- it's all very secret). The other side, and the one that is much more important for most of us, protects the DoD agencies and helps them clean up after exactly this type of attack. It is called the IAD (Information Assurance Division), and is run by one of the great leaders in information security, Dick Schaeffer. NSA's IAD has done more to protect other agencies and the public than all the other responsible federal agencies (NIST, DHS, NSF) combined. If I were asked by a company which agency to ask for help, I would give that company three facts: (1) NSA IAD is responsible for protecting all DoD agencies against exactly the same type of attack; they understand what to look for and how to respond. (2) It has, by far, the highest level of "in house" expertise. Other agencies contract for much of their expertise and that creates a powerful fear of disclosure of corporate secrets to other companies. (3) It is very good at keeping secrets. ]

In testimony before the US Senate Intelligence Committee, Director of National Intelligence Dennis C. Blair called the recently disclosed attack on Google's computer networks "a wake-up call to those who have not taken this problem seriously." Blair's testimony addressed a range of security issues, including cyber attacks. Blair noted that "malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication." Blair said that the government needs to work closely with the private sector and international authorities to protect cyber space. He urged companies to report cyber attacks as soon as they become aware of them to help the government become aware of the scope of such attacks. -http://www.nytimes.com/2010/02/03/us/politics/03intel.html?scp=2&sq=dennis%20blair&st=cse-http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222600872-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/02/AR2010020203975.html[Editor's Note (Schultz): Efforts to have the US government partner with the commercial arena and international organizations have been initiated numerous times in the past, but they have not been all that successful. What will finally wake high-level government officials and senior management within the commercial arena to the need to get serious about dealing with information security risk is a widespread, prolonged, coordinated series of attacks designed to cripple the economy. Such attacks are inevitable--it is only a matter of time.

(Paller): The attacks are happening; thousands of US companies and agencies have been deeply penetrated; their networks are "contested territory;" but the public was not told. Now the stories are coming out and the general public is awakening. Note this sentence in the Jan., 26 editorial in the Christian Science Monitor (the editor is an avowed non-techy): "The stakes in the global cyber-war are at least as high as those in the global war on terror." Security people who have cried for years that they didn't have top management buy-in are like the proverbial dog that chases trucks. One of the trucks stops; the dog takes hold of it; and the driver looks down and says "Now what are you going to do with it?" Security people have begun hearing from their top executive, "You were right; it matters; now what are going to do to protect us?" Those who offer NIST-based FISMA compliance or other paper-based audits as a solution and those who think they are being useful by explaining why perfect security is impossible, will have very short security careers. ]

Discover how the Top 20 Critical Security Controls can deliver automated security and compliance to your organization's audit program. Register for this webcast today, brought to you by Qualys!http://www.sans.org/info/54533

(Skoudis): Wow! This is just so utterly modern, really showing how much the world has changed in ten years: hacking to steal carbon credits for illicit sale cripples trading registries? We've entered a new world. ]

Google to Drop IE 6 Support (February 3, 2010)

Google has announced that as of March 1, 2010, its applications will no longer support Internet Explorer 6 (IE 6). Although Google did not say so directly, the decision may have been influenced by recently disclosed attacks against Google and other US companies that exploited a vulnerability in IE 6. The attacks prompted public warnings in Germany, France and Australia against using IE 6. -http://www.msnbc.msn.com/id/35219388/ns/technology_and_science-security/[Editor's Note (Skoudis): It's about time. Kudos to Google for pushing this. IE 6 is really growing long in the tooth, and it is time to move on. ]

VoIP Hacker Pleads Guilty (February 3, 2010)

Edwin Andrew Pena has admitted to earning more than US $1 million by selling millions of voice over Internet protocol (VoIP) call minutes that were sent over stolen network resources. On Wednesday, Pena pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He could be sentenced to up to 25 years in prison and fined at least US $500,000. Between 2004 and 2006, Pena and an accomplice, Robert Moore, routed at least 10 million minutes of VoIP calls through providers' networks without permission. They gained access to those networks through brute force attacks (that worked because default passwords had not been changed) to determine security codes. They also routed the attacks through third party computers. Pena and Moore were arrested in 2006. Moore pleaded guilty to conspiracy to commit computer fraud and was sentenced to two years in prison. He has been released. -http://www.theregister.co.uk/2010/02/03/voip_hacker_guilty/

Study: Banking Passwords Often Used for Other Sites (February 2, 2010)

Nearly three-quarters of computer users have the same password for their online banking accounts that they have for other, less secure websites. Data drawn from 4 million users of Trusteer's Rapport browser security service indicates that 47 percent of users have the same usernames and passwords for multiple sites, including financial account sites. The implications are serious; if cyber thieves obtain login information for someone's social networking account, they have a good chance of being able to access that person's online financial accounts as well. -http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=222600800&subSection=Vulnerabilities+and+threats-http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/[Editor's Note (Skoudis): This is one of my biggest concerns with breaches of relatively unimportant web sites. Users so often synchronize their passwords. Thus, bad guys can grab passwords from unimportant sites and use them to access the same user's accounts at online banks. Worse yet, the bad guys can perform a little social networking research to find the enterprise employer of the user, and attempt to login to remote access facilities of the organization. That's a compelling reason for multi-factor authentication for enterprise remote access. ]**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/